Basic

9. IKEv1 and iPsec Deep Dive

Is an Internet key interface. And the Internet Key Exchange is actually the Internet Key Exchange. I don't know where I put the Internet key interface. It is the Internet Key Exchange protocol that is used in the IP Set protocol suite to establish security associations or essays. Okay? IPOs upon the Oakley Protocol and Isaac Camp. And it comes in two phases. The first phase, which is the scope of phase one, is to negotiate a secure transmission channel between VP and end points. Okay? So between two end points, which means that between the two routers in phase one, the two routers are trying to negotiate a VPN transmission. And the first thing that they're trying to do is that they try to find a common secret key that comes via the default herman exchange, additional keys that derive from common secret keys. And in phase one, it secures parts of the phase one negotiation and is present to secure the phase two negotiation. Okay? In phase two, negotiation is IP SEC, of course, which we are also going to talk about in phase one. There are a couple of modes that you can run in phase one, which is the Ike version one configuration. And you can run in either main mode, which is the default, or aggressive mode, right? In main mode, usually seen in side-to-side VPN connections, it uses three bi-directional message exchanges or six uni directional.The first four messages are in cleartext and the last two are encrypted. If you want to protect the identity of the endpoints, you'll want to encrypt the last two messages. When using an Ike version one or Ike version two, aggressive mode is commonly seen in remote access VPNs. Well, Ike version one, Cisco does not recommend anymore, actually.You won't be able to do it. Okay, version one of the remote access VPN? But it uses three-unit directional messages. The last message is encrypted, but it's not mandatory. In site to site VPN or main mode, it is mandatory and it does not protect the identity of the end points If you do not encrypt the last message, The phase one negotiation parameters during phase one, these are the parameters that we're going to negotiate and need to match between the two end points, right? So authentication, encryption, hashing, and therefore have a group number. And there are negotiated parameters that do not need to match, which is the SA lifetime, which is the second, which is a common secret key lifetime, and it is negotiated to the lowest value between VPN peers. Phase two, we are going to talk about in another PowerPoint. So we are done with aggression, and what is the scope, right? The main scope is secure as part of phase one negotiation, and it secures phase two negotiation, which is to do the IPsec and the main mode and aggressive mode are the two modes for phase one. And here are the parameters that we're going to negotiate within. So let's go ahead and configure that phase one. This is to construct an IPsecor site-to-site VPN tunnel. So let's go ahead and do that. Let's go into router one and also bring up router two. And we are going to form or we're going to create that phase one configuration. So the way that we do that is by doing acrypto isacamp. Isocamp stands for just version one, okay? And then we have to create a policy. Following that, we must develop a priority policy. Let's just call it one. And here, what we need to do is to negotiate the parameters so they match between the two end points. So between router one and router two, they need to match these parameters that we're going to configure now in the policy. So we need to configure the way that we're going to authenticate the encryption method that we're going to use for the hashing and also the different group numbers. So let's go and do that encryption. We are going to be using three desk hashing which we are going to use in MD five. group number. which we are going to be using as a group number. The second authentication method that is going to be used can be done with a question mark. You can use a pressure key. An Rsaencr. which is a river encryption or man-made signature. But we are going to send a picture queue because we don't have an RSA. right? And this is everything we configure needs to match with the router too. So, if you show crypto isaac camp policyone or show crypto policy, you can see that we have configured a policy with a priority of one, right? And we have set that the encryption algorithm that we're going to be using on this endpoint is going to be a triple key hashing algorithm. It's message digest five. The pre-shared key different herman will be used for authentication. We're going to use group number two, or 1024 bits. Then the lifetime will have it as the default because it doesn't really need to match. So let's go ahead and do the same onR two, completing the crypto isocamp policy one. Encryption, remember, needs to match. So we need to do three desk authentication needs to match, which is a pressure key. Group number two needs to match, and the hash also needs to match, which is MD five. And if we do show crypto isacamp policy, you can see that these two match, right, because they need to match, otherwise we won't be able to create that. As you can see, phase one of the site-to-site tunnel, which is Ike version one, is matching between the two routers. So then after that, since we said that we were going to use an aperture key for authentication. We need to go ahead and create that pressure key. The way that you do that is with a crypto isocamp key. Now we need to give it valid CCMP security and an address. And this needs to match the IP address of the other endpoints, which is rather two IP addresses, which is 20. The one, that one, the two. There we go. So now we need to do the same over here. Do a crypto isacamp key to value CMP security because it needs to match, and then the address because it needs to have the address of the other endpoint. And there it is. So that has been configured. Crypto isacam key CMP security, as well as crypto isacam key CMP security So that has been configured. If you want to do a show command, you can do show crypto isekamp I believe it's key. There we go. So we have a key for the remote endpoint, which is 21 to one. Those two. And the pre-shared key that we set up for CCMP security must be compatible with the other end. So if we do a show, do we do showcrypto isacamp key or do we do showcrypto isacam key? Yup, there it is, the remote address of the other end points and the depleture key, which is CCMP security. And they need to match, otherwise they won't be able to form the first phase one, which is the first time that we are creating with Ike version one. So we are done with the configuration of phase one. So now let's go ahead and talk about phase two, which involves IPsec. What is IPsec? Right. You may say, well, some of the above protocols can span between sites and provide some segmentation. They don't necessarily protect the data itself. The reason for IPsec is to add that extra security. And some of the benefits of IPsec include confidentiality with encryption integrity, which is a built-in mechanism to protect and discover any data that may have been altered in transit. Authenticity, which is the verification of who or what is sending the data, and zero dependability on the application. Those are the benefits of IPsec. In IPsec, you can either use the Authentication header or you can use the ESP,which is the encapsulated security payload. And like I said, IPC has two options that you can use. The lesser used Authentication header, we're not going to be using that. and the more popular Encapsulation security payload. And we're going to dig into the difference real quickly. The first one is the Authentication header. Nobody uses that. It gives you angular replay protection, data integrity, and authentication of data origin, but does not provide data confidentiality, so it does not encrypt the data, doesn't work with Nats, and uses IP protocol 51. The Encapsulation Security payload, which is the one that we're going to use in it,provides anti-replay the same as the authentication header,data integrity, the same as the authentication header. It also authenticates the same as AuthenticationHeader, but it provides encryption and data confidentiality, which AuthenticationHeader does not do. And it uses something called Natty or Nat Charsal to work with Nats. And it uses IP Protocol 50. Here is what the authentication headerIP package looks like. So here's the original package IP package. It has the IP header. The TCP header and the data What it does is it adds two extra headers, one of which is the Authentication Header. It puts a range between the IP Header and the TCP Header, and that way it sends its data, but it does not encrypt it. And here's how the ESP encryption works. So this is the original packet, and here it is in Transport Mode because there are two modes in ESP. One is called the transport mode packet. And what it does here is insert an aESP header into the TCP data so that it can be encrypted. And then it also adds this ESP authentication here and he uses the same IP. So when you see the Transport Mode package, people will know the origin of the IP address. Some people do not want that. So that's why a lot more people use the ESP Turnermode package, because what it does is it puts the entire original package inside the ESP header and trailer, right? So that way, everything is encrypted and we'll know where it is coming from. And then it just adds a new IPHeader at the end and the ESP authentication. That way, everything inside the original package or the original IP package is encrypted. And if people are sniffing the traffic, they won't be able to tell the original IP address from where it is coming from. Okay? And here is also why you could use AuthenticationHeader and ESP at the same time. And here is just how it looks, and not a lot of people do that, okay? And like I said before, there are two modes in ESP. One is Transport Mode and the other one is Toner Mode. Like I showed you over here. And in Transfer Mode, the IP set encrypts the traffic between the two hosts. Here there will be encryption only for the datapackage and now the IP header, like I said. However, in Toner Mode, IPsec creates a virtual tunnel between two subnets and this mode encrypts the data as well as the IP header. And that's why our dedicated engineers prefer theToner Mode in most VPNs, because the originalIP header will be encrypted and will be known to people sniffing the traffic. And here are some disadvantages to IPsec. And one of the greater disadvantages of IPsec is its wide access range. And given access to a single device in an inIPsec based network, it can give access privileges to other devices too, which is not good. And here's an example: For instance, imagine that you are connecting to a corporate network from your IPsec-based home network here. If any of the computers on your home network has malware in it, it can be easily spread to the computers on the corporate network, which is why a lot of people use remote VPNs now. They do not use IPsec, and there are also some compatibility issues. With the exception of BGP, every dynamic routing protocol relies on multicast. And to support multicast, you should use IPsec or GRE,which we're going to be doing in this video. It also uses a lot of CPU overhead. Like I said right here, IPsec is well known for its high CPU usage and also some scalability disadvantages, the more Ipsq connections you need. The more tones you have to create, the more you need to administer those tunnels, and it is only a point to point since it is only a point to point. It does not support multicast traffic andthis is it on this PowerPoint. So let's go ahead and configure. This is phase two of the site-to-site configuration. If we go ahead and go into this, let's go ahead and do this PowerPoint over here that I have. So for Ikev one, phase two, which is IPsec, which is what we were talking about, you can only run one mode, which is Quick mode. And Quick Mode has three unit directional messages that are secured by a key in phase one material. Okay, so phase one protects phase two,so aggression one protects IP SEC. Here are the parameters that are going to be negotiated and they also need to match just the same as in phase one. This is what they want to protect and how you want to protect it. So what you want to protect, you can either do a proxy ACL if you use an encrypted map, but since we are using a crypto map, we use an IP set. This doesn't matter how to protect it. We are going to be setting up the transform set and inside the transform set, this needs to match. So we need to match the encapsulationprotocol ESP or the authentication header. And like I said before, we are only going to use an ASP because Ax does not provide data confidentiality. So there is no encryption here, and you can use null encryption, three as GCM, AES, and GMAC, as well as hash MD Five, sha one, or shar two. In the toner mode, which is tonal or transport. Like I said, in tonal mode you won't know the original IP header and in transfer mode you will note the original IP header and some of the negotiated parameters that do not need to match, and the lowest values are negotiated and the highest values need to initiate the tonal. Here is how the control plane works in IPsec or phase two or in phase one. The control plane always starts on UDP 500. And if no device is detected, NAT traversal is negotiated and it is changed over to UDP 4500. And in phase two, the iPad control plane follows up on phase one. In phase one finishing on UDP 500, we are going to use UDP 500 and in phase one finishing on UDP 4500. Then we are going to use UDP 4500. Okay, so we already went over this stuff like I saw in the other PowerPoint. So let's go ahead and configure the second phase of this site to site sono. So if you do a show in crypto We can see the policy and perform a show crypto. Isaac's key to the camp. The key is there. So now let's go ahead and configure phase two. And to configure phase two, the first thing that we need to do is a crypto IPsec transform set. And we are going to just name it Tsets. And over here, we need to do the way that we're going to provide data confidentiality or encryption. And then we need to do data interpreting. We shot. And we also want to add a map. And the tunnel mode that we're going to use is going to be tunnel mode. Okay, so that is the first part. Then after that, what we need to do is to do a crypto IPsec profile. And we'll just call this IPsec profile IPsec profile enter. And then after we do that, all we need to do is just attach the transform set that we have created. So you do set transfer set and we want to attach that t set that we created. If you do a question mark, you can see if you can add a description, you can set the default commands and some redundancy and responder only or set some parameters.If you do set, you can see that you can set the group and the identity to profile. Isaccam profile, which we are not using, mixedmode, reverse route, and all that good stuff. So if you do exit, let's go ahead and say do Scripto as a camp profile. We're not going to be doing that. But if you were configuring an igress profile,there's a way that you could do it. Okay, so let's go ahead and do ashow IPsec or show the actual crypto IPsec profile. You can see the profile that we have created. We also do a show where we transform sets. Set of IPsec transforms. You can see the transform set here as well. You said ESP two, five, six, and a smack for data integrity. And this one is for data confidentiality. And we are going to be negotiating the mode of tunnel. Now let's go ahead into router two and let's configure that crypto ipset transform set. We are just going to call it TSET. And we're going to be using the same one. As a result, as 25.6% ESP with Shaw and H. Mac. The mode is going to be turno. Then we are going to create a crypto IPsec profile and we are going to recall just the IPsec profile. The names do not need to match. I'm just making it match so I don't get confused. And then we're just going to set the transfer set and we're going to add the transfer set that we have created and then we're going to end it. We're going to do a show crypto IPsec profile so we can see the profile we just created and also do a showcrypto IPsec transform set. There we go. And as you can see, it is matching.We are using the default, renewable default, which is transport. We are using this one, which is ESP 256 A yes. And H mac with ESP sharp. And you know that we are going to be using this transform set that is called TSET. If you go to the IPsec profile, you are going to see that we're using the transfer set, which is the T set. Okay, all good. Some move on. And like I said before, PSEC itself does not support multicast like ERP, orCF, or any of those dynamic routing protocols. And for us to be able to add dynamic routing protocols, we need to add a GRE tonal. And the way that you do that, you just go ahead and do a tonne interface, tonal zero. And over here we need to set the tonalsource and the source is going to be the IP address from where we are going to send that traffic, which is gigabyte zero zero, which is connected to the end point of router two, right? And then we need to do the tonal destination and the destination needs to point to the other side or to the other endpoint of the other two, which is 21 and two. Here it is. Okay, so after that is done, we need to do a tonalmode and we are going to use IPsec which IP before. And then we need to configure an IP address for this tunnel 51, otherwise it's not going to work. And lastly, we are going to attach the IPsecprofile so we can encrypt all the traffic that is going to go through this tunnel. So you're going to do tunnel protection, IPsecprofile, and we call this IPsec profile, and then Isacamp is going to turn on. AZAcamp has begun. After that is on, we are going to just exit and do router ERP. Because now, since we have this tunnel, we are able to route or send multicast packets. Therefore, we are able to send ERPor this dynamic router protocol called ERP. And I just do an auto summary. The network I need to add needs to be the network of the tunnel that we created, which is 510, right? And then the other network that we want to add is our local network. There we go. So we have added the tonal. We are not going to add the gigabit interface right here because we don't want it to go through the interface. Because if we go through the interface,we won't be able to use ERP. We wanted to send it to the GRE tunnel because the GRE tunnel supports multi-cast traffic. All right, so let's go ahead and do the same on router two config interface. Let's do a source. And the source of router two is gigabyte zerozero, which is a point in or connected to the other end point of router one. And then the tonal destination is going to be the IP address of the endpoint of router 121 one.Then we need to do the tunnel mode. Since we are going to use IPsec, we just put IPsecright here and we are going to be using IP before. So you just put IP four. Then we configure the IP address and then we do the tunnel protection, which is going to use an IPsec profile that we configure. And we call this an IPsec profile, so we can encrypt our data going through this tunnel. There we go. I sent copies of the tunnel change to save up. So that's good. Now we need to go ahead and do a router so we can send our multicast traffic through the tunnel and so we can form a new relationship. And do we need to use the same alternative system for EHRP? Because that's how it works. For OSPF, this number does not need to match,but for ERP it does need to match. Now the summary. The first network I want to add is the local network, which is 10100. And then the other network is going to the tunnel network. And after that, you form a network relationship. And here it is. As you can see, the dual five never change. Now we have an error of 50, that one ortwo, that we have formed a new neighbour ledger. If we do show IP address b neighbor, we can see that we have a neighbour relationship with router two. Okay, via the tunnel interface. Since it is via the tunnel interface, everything is going to be encrypted because we added the IPsec profile to that tunnel. And that's how it works. And you can do a Show IP into Show IP route and you can see that if I'm going to send traffic to zero, it's going to be sent via the tunnel. Therefore, since it's going to be sent via the tunnel, the traffic, it's going to encrypt it. And also, yeah, it is going to encrypt for router one, but for router two, it is going to be a little bit different. Display IP route The one that is going to encrypt it is whenever wesend traffic to one and two-one-eight. That is 10, which is we have 50. That one to one is 21. Okay? So now if you want to see your configuration version one, the first one, you can do a show crypto Isacamp SA for security associations. And you can see right here that we actually have two. To be brief, I tell myself, let me do a show. Okay, so we have these two destinations and this other destination. Let me make sure that my toner was configured correctly. We do a show run. I think this is from my previous configuration. So the destination is correct. Okay, so head for two. Let's go ahead and go to router one and do a show crypto Isacamp SA. We also have two. So that is good and that is for aggression one.If you want to see the IPsec orther phrase two, you can do a show crypto IPsecessay, which we're going to do in a minute. Show me the crypto IPsec essay and here it is,the IPsec SA, which is for phase two. And as you can see, we have already sent in a package. This is how many packages have been encrypted and decrypted. So, 58 and 48. And you can see that the local endpoint, the local crypto endpoint, is 21 for router one, and the remote is 21 for router two. The MTU is 1500. The source is telling you that the stuff is good over here. So it is working the way we want it to. So now what we want to do is we can also do it on water too. As a result, crypto IPsec SA As you can see right here, it has sent 61 packets that have been encrypted and decrypted 71 packets.We see no errors. No errors. So that's good. You can see the local crypto endpoint and the remote crypto endpoint, the Path MTU 1500. The IP MTU is 1500. The source gigabytes So it is working well. If you want to see that it is working, let's just go ahead and go to writer one and do a show crypto aperture. Again, you can see that it has 1078 packets. So if you do a ping and we want to pin 21, and if I pin 21, let's just go ahead and do it so you can see what I'm talking about. Display IP Route If we do a show IP packet or show IP route, you can see that with this, what's going to happen is that it's using AJRP, right? Because there is an ERP on that tunnel and it's going to send the via the tunnel. And remember, we attach the IPsec profile to the tunnel, so it's going to be encrypted. So if you go in and do a ping, let's go and ping ten. That's the one I want. We're going to repeat it 200 times. Then we're going to do a show on crypto iPad. You can see that it has encapsulated 292 packages and calculated 292 packages. Therefore, the tonal is working. That's going to do it. Repeat it 200 more times, and you're going to see that it's going to increase by 200 more. So you can see that it's working. And if you go to the other two, you can see right here that it also increased by $400, and it is increasing by itself because Ajrp sends hello packets. I think, if I'm not mistaken, it is every 10 seconds or every 5 seconds. I cannot recall that from my CCNA studies. But also, if you want to see the traffic being encrypted live, you can do a debug crypto engine package. So you can see that those messages are being encrypted. You can see that we cannot see what's going on because we are using IPsec to encrypt it,and therefore, you won't be able to see what's going on because it is being encrypted, right? So let's go do it too if you want to do a capture. So let's go ahead and sneak this network. So we're going to bring wireshark, see if we can sniff the network, right, and see what's going on. And as you can see right here, ESP is working. So whenever you click on ESP, you can see that everything is being encrypted. So you cannot read anything here because it is encrypted with ESP, right? And you can see that those packets actually keep coming in. This is due to your P sendinghello package every five or 10 seconds. Okay, so this is it for this video, guys. I hope you guys enjoyed this video. I hope you guys learn a lot.

10. Crypto Map vs IPsec Profile

Hello, guys. Welcome to a new video. And in this new video, I'm going to go over what crypto maps are and what IPsec profiles are, how they are used, and how they are different. So, because there's a lot, first, even for me,when I started doing this research, how crypto map and IPsec profile worked and how they were different. In Ike version one, you are allowed to use a crypto map. However, if you are using an iOS device, Cisco does not want you to use crypto map in Ike version two. If you're using a router, they want you to use the IPsec profile only if you are on the ASAFirewall. They want you to use the crypto map because ASAFirewalls only support the crypto map, and that's why they did not remove it entirely from Ike version two. So whenever you are configuring Ike version two, you are going to use an IPsec profile. What is an IPsec profile? What is a crypto map? So I was going to start with the crypto map. So crypto map, you have seen that available before, where I have configured Ike version one, and crypto map and crypto IPsec profile are one and the same. It is the legacy way, which is a map,and the new way, which is the profile. So the crypto map was basically for Ike version two. And the new way, which is the IPsecprofile, is now for Ike version two. As you can see here, the old way, which is a crypto map, and the new way, which is an ipsic profile, of configuring Ike phase two. Okay, Not Ike. Phase one Ike, phase two. And in the crypto map, you need to specify the following. So when you configure thecrypto map, you need to tell the router how to protect the traffic, which we use a transform set for, and what to protect, which we use in ACO, and what is the remote VPN peer. Those are the three things that we configure when we do a crypto map. If you have seen my video before, I have configured II to have done this before. And since you need to add an ACL, you need to create an ACL before it needs to be an extended ACL, because you need to specify the source in the destination. And since whenever you're going to configure crypto map,you need to configure ACL before you do that. So then you can attach that to the crypto map and also the remote VPN pier. You need to know the remote VPN peer and the transform set. So you need to create a transform set. And here is the configuration of the crypto map. As you can see right here, we first configure an extended access point. As you can see, this one, I'm permitting this over here, 10220 with a Walker Maxwell,and then 172, 16100, which is my destination. This is the source. And then I'm going to tell it, like, what do you want to protect, what do you want to transport the data? So the way you want to do that is by creating a transform set. So you do a crypto IPsec transform set and you give it a name and you encrypt the data. And then you do some data integrity as well, and you configure the mode. And then after that, we can just go ahead and create a crypto map. So we need to combine the ACL, which is this one here, the transform set, which is this over here,and the peer IP address that you need to get. So to do that, you do a crypto map and give it a name, like VPN, and then the sequence number, which was ten. And then you do IPsec, Isaac, and then I'm telling if the traffic matches. So you do a match address C mapacl, which was that extendedacl that I created, and then go to this location, which is a set pair to this location. And then we use the following encryption, which is the CMAP T set, which was the transform set that I created. And then after that, you go into the interface and you activate the crypto map by attaching that crypto map to the interface by doing a crypto map VPN. So that's how the crypto map is configured. I think it's a lot more steps backward than what the profile is. And the profile is the same. Like I said, the same goes if you use IPSEprofile, where you need to specify the same thing. So how to protect the traffic? So we're still going to be using the transform set. So we need to create a transform set when we're going to create an IPsec profile and then you need to tell it what you want to protect, which no longer requires an ACO. And I will tell you why, on the next slide, we no longer require an ACO because it is based on the routing costs. On routing costs. So the IPsec profile is always applied to a GRE PTI interface. So we need to get an interface tunnel, whatever number you want to give it, so you have a logical interface associated with the IPsec tunnel. So you no longer need an ACL because everything that goes through that tunnel and the tone is going to have a source on the destination IP and everything that goes to the tunnel is going to be encrypted. So we don't need an ACL. So the source and destination have taken the place of the SEO, and the remote peer is no longer specified, because when you do a source and destination, you also add an IP address. Actually, it's the other way around. So, whenever you do it, you don't need an ACL because the GRE and VTi interfaces each have their own IP address, which replaces the ACL. And for the peers. We no longer need a peer like we did over here, but we set the peer to this. We no longer do that because in German you specify the destination and it can be statically configured or dynamically learned as well. So you don't need the ACL for the IPSAprofile and you do not need the peer either, because everything is configured by using the GRE interface. And here's how you can configure the IPsec profile so you still use the only thing the crypto map uses, which is the transform set. So we configure a transform set, we encrypt it whatever we want, and then we run a hashing algorithmfor data integrity and we tell that we're going to use the mode that transport autonomous. And then after that, instead of a crypto map, we create a crypto IPsec profile and we give it a name. And then after that, all we need to do for this profile is set the transform set. So this transform set, since we are going to be using it, we are going to attach it to this profile, and after this, it's attached to the profile. Now the profile is already configured and all you need to do is to configure interface tunnel one, which is a GRE tunnel. You configure the tone source, which is going to be the local gigabyte interface and the destination, which is for the one or two. And these two right here, these two commands, replace the ACL for the crypto map. Okay? I'm just telling you that in this one, the tournament, we're going to use the GRE IP. GRE is the payload and the transfer is IPV four, which we give it a command right here for IP. And then when we set the IP address of the actual tunnel, while we replace it right here,we are replacing the actual pier from this configuration. So the set pier to this one right here on the crypto map is being replaced by this IP address. Actually, I got confused again. So it's all the way around. So the total source and the total destination are the ones replacing the pier. So whenever we configure this total destination and we give a destination, this one replaces the one on the crypto map and the SEO is replaced by this IP address of 50, which is given to this tonal interface. So that's going to be the IP address interface. And this one is replacing the ACL from the crypto map, which is this ACL right here, which is being attached to the crypto map right here to match a C map ACL. That's what it is. Okay? And then after you configure that, you need to go ahead and attach the tunnel protection, which uses the IPsec profile, and then we attach the profile, which also has an attached transform set. So you create a transform set and create a profile. In the profile, you attach the transform set, and you create a tonal. And in the tunnel you attach that profile, the IPsecprofile, which has the transform set and the tunnel's destination, which was replaced by the set peer address, and it has its own IP address, which replaces the ACL. So this one replaces the peer and this one replaces the peer addrSo now, moving on, and as you can see right here, you can compare side to side. As you can see on the crypto map side,we actually configure, like I said before, that access list, that extended access list, which is being replaced by this IP address right here. So we no longer need that, right? We still use the transform set, as you can see right here, the first one that we configure with the mode of tonal. And then this crypto IPsec profile is replacing this crypto map right here. So we no longer need this crypto map. So for anything inside the script onmap, we do not need it. And then we also do not need to add the transform set to the crypto map, right? Because that's been replaced with the Ipsq profile, we just add that transform set to the profile. And also, we do not activate that crypto map because on the profile, we're not using a cryptomap, we are using an actual tunnel. So since we created this logical interface, over here is being replaced by this. So we no longer need this either. Okay, so I hope you guys learn a little bit of what I was saying. I know it gets confusing a little bit. I got confused twice, but I was able to clarify what I was saying, and hopefully you guys learned the difference between the crypto map and the IPsec, what is being replaced by the IPsec, and how you can configure an IPsec. In the next video, we are going to configure an aGRE tunnel on top of IPsec using the profile. We're not going to script them,we want to use the profile. And it's going to be the same as the commands that I have right here.

11. Easy Explanation of IKEv2 and IPSEC Configuration

Hello, guys. Welcome to a new video. And in this video we are going to go over this for the CCMP security exam, for the Si MoS exam. And we are going to go over configuring Ike vic two for the IP second permutation. And we're only going to be doing IP before, okay? So I'm going to go over everything. We are going to reconfigure, and the first thing that we are going to configure is the I Agree to two proposals. And in that regard, I agree with two proposals: we will propose to the router that we will be connecting to how we will encrypt to provide data confidentiality. So we are going to do three desks and then data integrity, which is going to be ND five, and then the DC home and group, which is going to be DFMAN group two. And then after that, after that proposal is configured, we are going to be configuring the Ivy Two policy. And in the Ivy Two policy, what we're going to do is just attach the proposal. Whenever we configure that proposal in the Ivy Two, the proposal is to go inside the Ivy Two policy. So let's go ahead and put this over here, and then we're going to go ahead and grab it and move it if you're able to do it. No, not like that. It is a little bit hard to grab it on this website. Just give me one moment. There we go. Why is it doing it like that? That's not what I want. Where's the little hand? Not like that either. There we go. So whenever we configure that proposal in the IG Two policy, we are going to include it in the IG Two policy. Then after that, we are going to move on and we are going to configure the other two key rings and the key ring. We are going to add the keys that we're going to use to authenticate in that tonal. And inside that key ring, we are also going to add that peer and then that local remote key, like I said before. And then after that is configured, we are going to be configuring the Igree Two profile. And inside the Igry Two profile we are going to have that I agree to cure. So let's go ahead and move this over here because we need to add the IG Two key to the Ivy Two profile. And in the IG Two profile, we're also going to tell the router how we are going to authenticate, which is going to be using a pre-shared key. We are going to attach a queue and we are going to provide those remote identities and those local identities as well. Then we're going to move on and configure the IPsec profile. And inside that IPsec profile. What we have to do We want to create that IPsec profile. Or actually, before we do that, we need to configure the IPsec transform set before we do that IPsec profile and inside that transfer set. What we're going to do is we're going to explain how we are going to encrypt also for data confidentiality and how we also need to provide data integrity. So we're going to be using Shot with H Mac for that. And then after we do that transform set, we are going to configure the IPsec profile, and inside that IPsec profile we need to add the IPsec transform set and also the IGtwo profile, which has the IGree two keying inside. So let's go ahead and point to the IPsec profile. The IPsec transfer settings will be inside the IPsecprofile. and also see if I can grab it. Okay, so it is down here. That's what it is. So let's go ahead and move it right here and let's point to the IPsec profile. There we go. And then we're going to configure the tonal, and inside the tonal we need to add that IPsec profile. So let's go ahead and do that. All right, let's go ahead and turn it around and point to the tunnel. There we go. That's how the configuration is going to be. So let's go ahead and see my topology. That's my topology that I have. I have configured all the IP addresses and all that. The interfaces are up and running. So let's go ahead and start with that configuration. Okay, so, as I previously stated, we will begin with the IQ two proposal and then move on to the IV two policy. Let's go in and start that enable configt.So let's go ahead and do a crypto IP two proposal and we are just going to call it proposal one. And as you can see right here, the IGU two-proposal must either have a set of encryption algorithms other than AES and all that and therefore have a configure So let's go ahead and do the encryption method, which is going to be three deaths. And then we need to provide integrity and then integrity, which means the Shah or the hashing algorithm, and we're going to be using that MD five and then the group number is going to be group number two exit, and then after that we are going to be configuring the Igree two policy and then we need to attach that IV two proposal to the I agree two policy. Okay, So let's go ahead and do that. You do a crypto, agree to the policy, and let's just call it power one. And inside here, what we need to do is actually let's just not do that. Let's go ahead and do the match address, and the local address is going to be entered, and that's it for that. So you need to put in your local address from where you are going to be using it to connect to router two, right? So that is good. And then, like I said, we need to attach that IP to the proposal. So let's go ahead and do that. So we are just going to do a proposal and tell them that we are going to be using that proposal that we just configured, which is pro-one pace. Okay? So after that is done, what we really need to do is let's go ahead and see my drawing. We must proceed with configuring the aggregate keying. So let's go ahead and do that. So you're going to the Crypto IV two key ring. We'll just go ahead and configure a keyword name. It's just going to be called a key ring or an IGB. And inside this queue, we are going to queue for peer two and peer two. Or actually just do peer two, which is the name of the next router. And over here you need to put the address of R2, which is and then we need to say that we are going to be authenticating using the precir key with the local key or actually using R1, which is going to be the local or local key. And then for the remote key, it's going to be R2. And this needs to match whenever we configure R two. It needs to say that the remote is going to be using R1 and that the logo is going to be R2. Okay, exit. We are done configuring the key ring. So after that is done, we have left the key ring. We need to configure the IG two profiles. So let's go ahead and do that part. I agreed to profile a crypto I do. And let's just call this "I agree to the profile." So inside here, what we need to say is, first of all, we need to do a key ring local and we need to attach that key ring, which is called an I agree to key ring, right here. Then we need to create some identity. So the first one is the match identity of the remote, the identity of the remote which is going to have an address of 29 one A two. And then we need to do the location, which is an address of 20. We need that one for the local site because we are configuring the R one. All right, that is good. So we are done with that part. So after that is done, let's go ahead and configure. Let's see what we have next. So we did the IB two-care and the IV two-profile and then we attached the IP two key ring. So that's done. Let's go ahead and configure the IPsec transform set. A collection of Crypto IPsec transforms We are going to call it TSET and we're going to have data confidentiality with AES two, five, and six, and then ESP for data integrity and smack, and all of these need to match on our router too. All right, we are done with that. Now we need to go ahead and create... what is it that we need to create? The transform setting is done. We need to go ahead and create that IPsec profile. We do a crypto IPsec profile, and we're going to call this an IPsec profile, and we just need to set the transform set, which we call the T set. And then we need to set the IG two-profile to whatever we name that I agree to, which is I agree to the profile. There we go. So that is done. And after that is done and completed, what we need to do is add the total source, which is going to be right. Yes, that is correct. And then we need to go ahead and create the tonal destination, which means we need to do the tonal mode, which is IP SEC. There you go. It is a complete command. It's like this: in turner mode IPsec using IPV4. And then we need to configure the IP address for this, which is going to be 50. One to provide a zero. And then we need to add that IPsec profile to it. Tonal security IPsec Profile And then we need to add that IPsec profile that we just created, which is the IPsec profile. Done. There it is. So after that is done, we need to go ahead and we are going to be using Let's do a routerp 18. In conclusion, we need to add a couple of networks. For router one, we need to add this network that we have over here. 192. One, six, eight, that's 10. And we also need to add the network of the tunnel. So 50, and that one is zero. And actually, for this one, it's going to be like this. All right, so we are done with the configuration of R one. If you want to do some, you can do some show commands, but it is better if you do it after R Two is configured. So let's go and configure two. So for R Two, the first thing I need to create is a crypto. Two of them have my support. And it's going to be the proposal. And the proposal is going to be, well, I'm just going to call it Pro One. And we are going to propose the encryption key that needs to match with whatever we configure on the other side. So make sure that it matches the integrity of MD five. And then what is it? The match for the group is two. Alright. And then we need to do a cryptograph. I accept the policy. We're going to call this "Par One." And what we need to do from here is to add that proposal that we just created, which is Pro One. And we need to match the local address. The address is 29. One, two. Alright. So after that was done, we are supposed to go ahead and create the crypto IGV two keyring and we're going to call this the IG two key ring. Inside this key ring we are going to mention the peer, which is our one authentication, or is that authentication? Let's see, the preserve key for the local is going to be R two keys, and the pressure key for the remote is going to be R one key, and then the address for that is going to be I want, so that's gone. After that is done, we need to go ahead and configure Crypto IV's two profiles. We're going to call this the IV-2 profile, and inside this IV-2 profile we need to tell how we're going to authenticate. We're just using it for the local pressure key authentication for the remote pressure key. Then we go in and attach that cured local hearing, which we call Ivy Two Keys. Then we have to create the match identity for the remote, which is actually we need to put in the address, and then the identity for the local is going to be good. Moving on So now after that, it's time to configure the crypto IPsec transform set. This one also needs to match, so ESP. Actually, we need to name it first. TSET I believe it was called ESP AES. Let's just go into verifying the show crypto IPsec transform setup so as with H Mac, two-five-six, and then for data integrity shot with H Mac exit. Then let's go into a crypto IPsec profile and we're going to call it the IPsec profile, and in here we need to set the thetransform set, which we call TSET, and then we need to set the IP two profile, which we call the IQ two profile. All right, after that is done, let's go ahead and create a tono zero source KW source destination two. Alright, and then we do. After that is done, we need to do the IPsec with IP, and then we just do the IP address. Then we just add the telecommunication protection, which is the IPsec profile, and we need to attach that IPsec profile that we created. Right then, today we need to do a routerERP. This one is to match. I believe it was 18. Let me verify that. So, the IP route will consist of 1818watt interfaces, and so on. Good, it is 18. No, I would have said that the first network that I want to add needs to be this network over here. Ten to 100, two by five. Then the next network is the total network of 50, and that should create an ERP or it should just do it. showrunner and show IP interface tonal zero; this tonal is active but not the line protocol; show IP interface brief Let's just let it run. We are having some issues here, so let's just do section tonal so we configure the source and destination. Okay, the destination is wrong. That's why let's just do configure t. tonal. Why didn't you guys tell me? Zero tonal interface You just shut it down and then let's do this destination and then Luton destination with no shutdown. And that should bring up the ERP. There we go. neighbour relationship. Good. So if we do show up to the neighbor, you will see that we have a neighbour with a tone. so cool. So now if you want to see the IP too and all that good stuff, you can do a crypto IV two essay. Maybe showcrypto. IGV has two essays. We don't have any. I just did a "show crypto IPsec SA." And you can see we have encapsulated 15 packets and we have to calculate 15 packets. So that means that it is working. You can see the local identity is this and that. The current pier is 22, which is correct. It's a poor 500. Because we are now using that. We're not using network address translation at the local endpoint good.Remote encryption endpoint So it looks like it is working. What if we do a ping? Let's just go ahead and do ping ten one with a source of 8001 and we want to repeat it 100 times. Okay, And now let's show IPsec IPsec si. You can see that since we sent 100 packets, a hundred were encapsulated and 100 were decapsulated. But it incremented because we are sending an AGP package and it is being encrypted. And if you want to see that encryption going on,you can do a debug crypto engine packet and that's going to show you all the encryption happening. There we go. So, as you can see, it is working. It encrypts everything. We have some errors right now that we can take a look at later. The CES switch failed with less than that,but it is encrypting everything you're sending. If you want to turn it off all together, There we go. That turns off the encryption or the debugging on all.Good. So, as you can see, we have successfully configured, I agree, two. And in this video we went over and configured the IQ two proposal where we put encryption three, desk integrity MD five. And then after that, we created the policy, and within the policy we attached the two proposals. Then we configure the IV to carry that key that we use to authenticate. After that was done, what happened was that we created the two profiles and we did all the good stuff. And then we attached that key ring, then we created the IPsec transform set, then the IPsec profile inside the IPsec profile, we attached the IPsec transform set and the IQ two profiles, and then we created a tonal. We created an IPsec profile. So.

ExamSnap's Cisco 300-730 Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Cisco 300-730 Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.